1. Manuals
  2. Tumbleweed
  3. polkit-default-privs
  4. polkit-default-privs(5)

Scroll to navigation

POLKIT-DEFAULT-PRI(5)   POLKIT-DEFAULT-PRI(5)

NAME

polkit-default-privs - configuration of polkit security profiles

DESCRIPTION

The files in /usr/etc/polkit-default-privs/profiles define different security profiles that influence the authorization required for various polkit actions used across applications. These files are line based and whitespace delimited.

Lines starting with # are comments. Comments and empty lines will be ignored. All other lines consist of two whitespace delimited columns ACTION and AUTHORIZATION. The ACTION column specifies the polkit action name to configure the default polkit authorization settings for.

The AUTHORIZATION column consists of colon separated fields of the form ANY-USER:INACTIVE-CONSOLE:ACTIVE-CONSOLE. Each of the fields can have one of the values auth_admin, auth_admin_keep, auth_self, auth_self_keep, no and yes. For the meaning of these values see polkit(8). The field ACTIVE-CONSOLE determines the authorization required for active users on a local console. The field INACTIVE-CONSOLE determines the authorization required for inactive users on a local console (e.g. a locked graphical session). The field ANY-USER determines the authorization required for all others users (e.g. remotely logged in via SSH). If all three fields carry the same value then the column can be shortened to a single field without a separating colon. This setting will then apply to all three field types.

Changes in these files don’t take effect immediately. The settings need to be converted into polkit java script code. This can be achieved by calling set_polkit_default_privs(8).

PROFILE TYPES

There exist three profile types for setting polkit default privileges. The selection of the profile is performed via the setting POLKIT_DEFAULT_PRIVS in /etc/sysconfig/security. The following profile types exist:

restrictive: conservative settings that require the root user password for a lot of actions and disable certain actions completely for remote users. This should only be used on systems where security requirements are high and for experienced users. Usability can suffer a bit, especially on desktop systems, so custom tuning of polkit rules might become necessary.

standard: balanced settings that restrict sensitive actions to require root authentication but allow less dangerous operations for regular logged in users. This should be used on server systems or multi-user systems.

easy: settings that are focused on ease of use. This sacrifices security to some degree to allow a more seamless user experience without interruptions in the workflow due to password prompts. This should only be used for single-user desktop systems.

local: this is a custom profile that can be used on top of the predefined profiles. Configuration items from this profile always take precedence and thus override the predefined profiles. Therefore this profile can be customized to loosen or tighten certain polkit actions.

EXAMPLES

org.spice-space.lowlevelusbaccess auth_admin:auth_self:yes

This line configures the org.spice-space.lowlevelusbaccess polkit action to require admin authentication for remote users, the own account password for inactive users and no authentication for active users.

net.connman.modify auth_admin

This line configures the net.connman.modify polkit action to require admin authentication for all three user context types: remote users, inactive users and active users.

FILES

/usr/etc/polkit-default-privs/local.template is a template for /etc/polkit-default-privs.local

/usr/etc/polkit-default-privs/profiles/restrictive

/usr/etc/polkit-default-privs/profiles/standard

/usr/etc/polkit-default-privs/profiles/easy

SEE ALSO

set_polkit_default_privs(8), polkit(8)

AUTHORS

Written by Ludwig Nussel <ludwig.nussel@suse.de>

Man page written by Matthias Gerstner <matthias.gerstner@suse.de>

REPORTING BUGS

Report bugs to https://bugzilla.suse.com/

07/20/2021